Unbound vs. Pihole



  • Which offers better DNS resolving/caching performance for a network with ~500 devices, the built-in Unbound or a dedicated PiHole device/VM? I'm trying to determine how to implement my network.


  • Rebel Alliance Global Moderator

    Pihole has a nice interface to view the amount and type of DNS queries. You do understand you can bring up a Pihole and then just have it forward to Unbound running on pfSense, which then resolves. It does not need to be an either-or sort of setup.



  • pfBlockerNG-devel also has a nice interface. As for performance, this really depends on the hardware you run it on. If you run pfSense on dedicated and potent amd64 hardware with a good amount of RAM, it will be able to handle much more than PiHole on a small Raspberry Pi. If you run both on similar hardware I wouldn't expect any noticeable performance difference, though separating your DNS from your firewall might make a bit of sense from a security perspective.

    If you intend on virtualizing both anyway, then there is no harm in trying both approaches and then choosing the one that performs best for your specific environment.


  • Rebel Alliance Global Moderator

    @grimson said in Unbound vs. Pihole:

    pfBlockerNG-devel also has a nice interface.

    OK, sure... But sorry, it's not as eye-candy pretty as Pihole's ;) Nor does it really give a nice overview in a graph over time. Also, unless I am missing something, where can you click in and see actual queries per client?

    You can use both was my point.



  • @johnpoz said in Unbound vs. Pihole:

    OK, sure... But sorry, it's not as eye-candy pretty as Pihole's ;)

    Agreed, though I'm not the eye candy guy.

    Nor does it really give a nice overview in a graph over time. Also, unless I am missing something, where can you click in and see actual queries per client?

    You can define filters on the reports tab, but you will only see blocked requests. Also the DNSBL stats tab has some graphs too.

    You can use both was my point.

    Which adds another point of failure and unneeded complexity, in my opinion.



  • @grimson said in Unbound vs. Pihole:

    pfBlockerNG-devel also has a nice interface. As for performance, this really depends on the hardware you run it on. If you run pfSense on dedicated and potent amd64 hardware with a good amount of RAM, it will be able to handle much more than PiHole on a small Raspberry Pi. If you run both on similar hardware I wouldn't expect any noticeable performance difference, though separating your DNS from your firewall might make a bit of sense from a security perspective.

    If you intend on virtualizing both anyway, then there is no harm in trying both approaches and then choosing the one that performs best for your specific environment.

    Thanks. I had planned to virtualize pfSense and PiHole. I'll do some lab testing first before I deploy.


  • Rebel Alliance Global Moderator

    @grimson said in Unbound vs. Pihole:

    Which adds another point of failure and unneeded complexity, in my opinion.

    Yeah, sure - you could say using pfBlocker on top of Unbound adds a level of complexity, and for sure adds another point of failure as well ;) heheh

    How many posts here come down to pfBlocker ;) Many of them are self-inflicted, sure - the complexity point for sure. I can tell you for sure Pihole is designed for your typical idiot user, while pfBlocker and all its features require way more understanding than Pihole.

    I like it because it gets me an easy way to get an overall quick picture of how many DNS queries in total are blocked and allowed, and what the big hitters are - freaking Roku sticks sure want to phone home to their log servers, for example ;) And Windows machines sure like to try and talk to those telemetry servers as well.

    The OP is the one that brought it up - my only point is you're not limited to just using one or the other. You're just suggesting complexity and points of failure via another software package on top of the Unbound running on pfSense. pfBlocker is way more complex than Pihole, and even it running on pfSense doesn't mean it's not another thing that could fail vs running something on another VM or Pi, for that matter.

    I think the OP has the right idea - play with it all and see what is best suited for his wants and needs. Just don't think you need to limit yourself to just using one thing. You could use Unbound with both pfBlocker and a Pihole instance, etc.



  • +1 for pihole. I've been using it for about a year now.



  • I'm using a pair of Pi-Holes for redundancy. It's very nice to have the list updates staggered a few hours on each, so there is never any DNS downtime like there is with a single Pi-Hole setup.

    Client -> Pi-Hole -> pfSense -> OpenDNS (both ipv4 and 6 filtered servers)
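    The pfSense hop of that chain, written out as an added Unbound configuration fragment (example config, not the poster's or the pfSense project's own; on pfSense the same directives are set through the DNS Resolver GUI rather than a hand-edited file). The firewall address 10.0.0.1, the two Pi-hole addresses 10.0.0.2 and 10.0.0.3, and the upstream placeholders are assumptions:

```conf
# Added example: Unbound on the firewall, sitting between the two Pi-holes and the upstream.
# Addresses are constructed for illustration; the OpenDNS values are placeholders to fill in
# from the provider's documentation, not values taken from the thread.
server:
    interface: 10.0.0.1
    # Only the two Pi-holes may query this resolver; every other source is refused,
    # so clients cannot bypass the Pi-hole blocklists by pointing at the firewall directly.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 10.0.0.2/32 allow
    access-control: 10.0.0.3/32 allow
    # Refresh popular records before they expire, so a Pi-hole list update upstream
    # does not coincide with a cold cache here.
    prefetch: yes
    # Do not answer CHAOS-class id/version probes.
    hide-identity: yes
    hide-version: yes

# Everything is forwarded to the filtered OpenDNS resolvers, IPv4 and IPv6.
forward-zone:
    name: "."
    forward-addr: <OPENDNS-FILTERED-IPV4-1>
    forward-addr: <OPENDNS-FILTERED-IPV4-2>
    forward-addr: <OPENDNS-FILTERED-IPV6-1>
    forward-addr: <OPENDNS-FILTERED-IPV6-2>
```

Each Pi-hole then lists 10.0.0.1 as its only custom upstream DNS server, and the DHCP scope hands clients 10.0.0.2 and 10.0.0.3 so the redundancy the post describes is reflected on the client side as well.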